@tronsfey/ucli 0.4.1 → 0.4.3

package/dist/index.js

@@ -1,5 +1,7 @@
 #!/usr/bin/env node
-import "./chunk-NNFC34A5.js";
+import { createRequire as __createRequire } from "module";
+const require = __createRequire(import.meta.url);
+import "./chunk-FJU3QOHW.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -8,7 +10,61 @@ import { createRequire as createRequire2 } from "module";
 // src/config.ts
 import Conf from "conf";
 import { homedir } from "os";
-import { join } from "path";
+import { join, dirname } from "path";
+import { chmodSync, mkdirSync } from "fs";
+
+// src/lib/config-encryption.ts
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes,
+  pbkdf2Sync
+} from "crypto";
+import { hostname, userInfo } from "os";
+var ENC_PREFIX = "enc:v1:";
+var ALGORITHM = "aes-256-gcm";
+var SALT_LEN = 32;
+var IV_LEN = 12;
+var TAG_LEN = 16;
+var PBKDF2_ITERATIONS = 1e5;
+function deriveKey(salt) {
+  let user = "default";
+  try {
+    user = userInfo().username;
+  } catch {
+  }
+  const material = `ucli:${user}@${hostname()}`;
+  return pbkdf2Sync(material, salt, PBKDF2_ITERATIONS, 32, "sha512");
+}
+function encryptValue(plaintext) {
+  const salt = randomBytes(SALT_LEN);
+  const key = deriveKey(salt);
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const packed = Buffer.concat([salt, iv, tag, encrypted]);
+  return ENC_PREFIX + packed.toString("base64");
+}
+function decryptValue(stored) {
+  if (!stored.startsWith(ENC_PREFIX)) {
+    return stored;
+  }
+  const packed = Buffer.from(stored.slice(ENC_PREFIX.length), "base64");
+  const salt = packed.subarray(0, SALT_LEN);
+  const iv = packed.subarray(SALT_LEN, SALT_LEN + IV_LEN);
+  const tag = packed.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
+  const encrypted = packed.subarray(SALT_LEN + IV_LEN + TAG_LEN);
+  const key = deriveKey(salt);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
+}
+function isEncrypted(value) {
+  return value.startsWith(ENC_PREFIX);
+}
+
+// src/config.ts
 var conf = new Conf({
   projectName: "ucli",
   schema: {
@@ -17,18 +73,35 @@ var conf = new Conf({
   }
 });
 var cacheDir = join(homedir(), ".cache", "ucli");
+function hardenConfigPermissions() {
+  try {
+    const configPath = conf.path;
+    const configDir = dirname(configPath);
+    mkdirSync(configDir, { recursive: true, mode: 448 });
+    chmodSync(configDir, 448);
+    chmodSync(configPath, 384);
+  } catch {
+    console.warn("Warning: Could not enforce restrictive file permissions on config. Token is encrypted but file permissions may be permissive.");
+  }
+}
 function getConfig() {
   const serverUrl = conf.get("serverUrl");
-  const token = conf.get("token");
-  if (!serverUrl || !token) {
+  const rawToken = conf.get("token");
+  if (!serverUrl || !rawToken) {
     console.error("ucli is not configured. Run: ucli configure --server <url> --token <jwt>");
     process.exit(1);
   }
+  const token = decryptValue(rawToken);
+  if (!isEncrypted(rawToken)) {
+    conf.set("token", encryptValue(token));
+    hardenConfigPermissions();
+  }
   return { serverUrl, token };
 }
 function saveConfig(cfg) {
   conf.set("serverUrl", cfg.serverUrl);
-  conf.set("token", cfg.token);
+  conf.set("token", encryptValue(cfg.token));
+  hardenConfigPermissions();
 }
 function isConfigured() {
   return Boolean(conf.get("serverUrl") && conf.get("token"));
@@ -103,11 +176,17 @@ function registerConfigure(program2) {
 }
 
 // src/lib/cache.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
+import { readFile, writeFile, mkdir, unlink, chmod } from "fs/promises";
 import { join as join2 } from "path";
 var LIST_CACHE_FILE = join2(cacheDir, "oas-list.json");
 async function ensureCacheDir() {
-  await mkdir(cacheDir, { recursive: true });
+  await mkdir(cacheDir, { recursive: true, mode: 448 });
+}
+function redactEntries(entries) {
+  return entries.map((e) => ({
+    ...e,
+    authConfig: { type: e.authConfig["type"] ?? e.authType }
+  }));
 }
 async function readOASListCache() {
   try {
@@ -122,25 +201,45 @@ async function readOASListCache() {
 }
 async function writeOASListCache(entries, ttlSec) {
   await ensureCacheDir();
-  const cached = { entries, fetchedAt: Date.now(), ttlSec };
-  await writeFile(LIST_CACHE_FILE, JSON.stringify(cached, null, 2), "utf8");
+  const cached = { entries: redactEntries(entries), fetchedAt: Date.now(), ttlSec };
+  await writeFile(LIST_CACHE_FILE, JSON.stringify(cached, null, 2), { encoding: "utf8", mode: 384 });
+  await chmod(LIST_CACHE_FILE, 384);
 }
 async function clearOASListCache() {
   try {
-    await writeFile(LIST_CACHE_FILE, "{}", "utf8");
+    await unlink(LIST_CACHE_FILE);
   } catch {
   }
 }
+async function clearOASCache(name) {
+  try {
+    const raw = await readFile(LIST_CACHE_FILE, "utf8");
+    const cached = JSON.parse(raw);
+    const entries = Array.isArray(cached.entries) ? cached.entries.filter((e) => e.name !== name) : [];
+    if (entries.length === 0) {
+      await clearOASListCache();
+      return;
+    }
+    const next = {
+      entries,
+      fetchedAt: cached.fetchedAt ?? Date.now(),
+      ttlSec: cached.ttlSec ?? 0
+    };
+    await writeFile(LIST_CACHE_FILE, JSON.stringify(next, null, 2), { encoding: "utf8", mode: 384 });
+  } catch {
+    await clearOASListCache();
+  }
+}
 
 // src/lib/oas-runner.ts
 import { spawn } from "child_process";
 import { createRequire } from "module";
-import { join as join3, dirname } from "path";
+import { join as join3, dirname as dirname2 } from "path";
 var require2 = createRequire(import.meta.url);
 function resolveOpenapi2CliBin() {
   try {
     const pkgPath = require2.resolve("@tronsfey/openapi2cli/package.json");
-    const pkgDir = dirname(pkgPath);
+    const pkgDir = dirname2(pkgPath);
     const pkg2 = require2("@tronsfey/openapi2cli/package.json");
     const binEntry = pkg2.bin?.["openapi2cli"] ?? "bin/openapi2cli.js";
     return join3(pkgDir, binEntry);
@@ -170,6 +269,58 @@ function buildAuthEnv(entry) {
       return {};
   }
 }
+var SAFE_ENV_KEYS = [
+  // System essentials
+  "PATH",
+  "HOME",
+  "USER",
+  "LOGNAME",
+  "SHELL",
+  "TMPDIR",
+  "TMP",
+  "TEMP",
+  // Terminal / display
+  "TERM",
+  "COLORTERM",
+  "NO_COLOR",
+  "FORCE_COLOR",
+  "LANG",
+  "LC_ALL",
+  "LC_CTYPE",
+  "LC_MESSAGES",
+  "LC_COLLATE",
+  // Node.js
+  "NODE_ENV",
+  "NODE_PATH",
+  "NODE_OPTIONS",
+  "NODE_EXTRA_CA_CERTS",
+  // Network proxy (required for tools behind corporate proxies)
+  "HTTP_PROXY",
+  "HTTPS_PROXY",
+  "NO_PROXY",
+  "http_proxy",
+  "https_proxy",
+  "no_proxy",
+  // OS-specific
+  "SYSTEMROOT",
+  "COMSPEC",
+  "APPDATA",
+  "LOCALAPPDATA",
+  "PROGRAMFILES",
+  "XDG_RUNTIME_DIR",
+  "XDG_CONFIG_HOME",
+  "XDG_CACHE_HOME",
+  "XDG_DATA_HOME"
+];
+function buildSafeEnv(authEnv) {
+  const safe = {};
+  for (const key of SAFE_ENV_KEYS) {
+    if (process.env[key] !== void 0) {
+      safe[key] = process.env[key];
+    }
+  }
+  return { ...safe, ...authEnv };
+}
 async function runOperation(opts) {
   const bin = resolveOpenapi2CliBin();
   const { entry, operationArgs, format, query } = opts;
@@ -185,17 +336,13 @@ async function runOperation(opts) {
     ...operationArgs
   ];
   const authEnv = buildAuthEnv(entry);
-  await new Promise((resolve, reject) => {
+  await new Promise((resolve2, reject) => {
     const child = spawn(process.execPath, [bin, ...args], {
       stdio: "inherit",
-      env: {
-        ...process.env,
-        ...authEnv
-        // inject auth — not visible to parent shell
-      }
+      env: buildSafeEnv(authEnv)
     });
     child.on("close", (code) => {
-      if (code === 0) resolve();
+      if (code === 0) resolve2();
       else reject(new Error(`openapi2cli exited with code ${code}`));
     });
     child.on("error", reject);
@@ -211,7 +358,7 @@ async function getServiceHelp(entry) {
     String(entry.cacheTtl),
     "--help"
   ];
-  return new Promise((resolve, reject) => {
+  return new Promise((resolve2, reject) => {
     let output = "";
     const child = spawn(process.execPath, [bin, ...args], {
       stdio: ["ignore", "pipe", "pipe"]
@@ -222,7 +369,7 @@ async function getServiceHelp(entry) {
     child.stderr?.on("data", (d) => {
       output += d.toString();
     });
-    child.on("close", () => resolve(output));
+    child.on("close", () => resolve2(output));
     child.on("error", reject);
   });
 }
@@ -230,10 +377,14 @@ async function getServiceHelp(entry) {
 // src/commands/services.ts
 function registerServices(program2) {
   const services = program2.command("services").description("Manage and inspect available OAS services");
-  services.command("list").description("List all OAS services available in the current group").option("--no-cache", "Bypass local cache and fetch fresh from server").action(async (opts) => {
+  services.command("list").description("List all OAS services available in the current group").option("--refresh", "Bypass local cache and fetch fresh from server").option("--format <fmt>", "Output format: table | json | yaml", "table").option("--no-cache", "Bypass local cache and fetch fresh from server").action(async (opts) => {
     const cfg = getConfig();
     const client = new ServerClient(cfg);
-    let entries = opts.cache ? await readOASListCache() : null;
+    if (!opts.cache) {
+      process.emitWarning("The --no-cache flag is deprecated. Please use --refresh instead.");
+    }
+    const useCache = opts.cache && !opts.refresh;
+    let entries = useCache ? await readOASListCache() : null;
     if (!entries) {
       entries = await client.listOAS();
       if (entries.length > 0) {
@@ -241,10 +392,19 @@ function registerServices(program2) {
         await writeOASListCache(entries, maxTtl);
       }
     }
+    const format = (opts.format ?? "table").toLowerCase();
     if (entries.length === 0) {
       console.log("No services registered in this group.");
       return;
     }
+    if (format === "json") {
+      const safe = entries.map(({ authConfig, ...rest }) => ({
+        ...rest,
+        authConfig: { type: authConfig["type"] ?? rest.authType }
+      }));
+      console.log(JSON.stringify(safe, null, 2));
+      return;
+    }
     const nameWidth = Math.max(10, ...entries.map((e) => e.name.length));
     console.log(`
 ${"SERVICE".padEnd(nameWidth)}  AUTH      DESCRIPTION`);
@@ -256,7 +416,7 @@ ${"SERVICE".padEnd(nameWidth)}  AUTH      DESCRIPTION`);
     }
     console.log();
   });
-  services.command("info <name>").description("Show detailed information and available operations for a service").action(async (name) => {
+  services.command("info <name>").description("Show detailed information and available operations for a service").option("--format <fmt>", "Output format: table | json | yaml", "table").action(async (name, opts) => {
     const cfg = getConfig();
     const client = new ServerClient(cfg);
     let entry;
@@ -267,6 +427,18 @@ ${"SERVICE".padEnd(nameWidth)}  AUTH      DESCRIPTION`);
       console.error("Run `ucli services list` to see available services.");
       process.exit(1);
     }
+    const help = await getServiceHelp(entry);
+    const format = (opts.format ?? "table").toLowerCase();
+    if (format === "json") {
+      const { authConfig, ...rest } = entry;
+      const safe = {
+        ...rest,
+        authConfig: { type: authConfig["type"] ?? rest.authType },
+        operationsHelp: help
+      };
+      console.log(JSON.stringify(safe, null, 2));
+      return;
+    }
     console.log(`
 Service: ${entry.name}`);
     console.log(`Description: ${entry.description || "(none)"}`);
@@ -276,14 +448,22 @@ Service: ${entry.name}`);
     console.log(`Cache TTL: ${entry.cacheTtl}s`);
     console.log("\nAvailable operations:");
     console.log("\u2500".repeat(60));
-    const help = await getServiceHelp(entry);
     console.log(help);
   });
 }
 
 // src/commands/run.ts
 function registerRun(program2) {
-  program2.command("run <service> [args...]").description("Execute an operation on a service").option("--format <fmt>", "Output format: json | table | yaml", "json").option("--query <jmespath>", "Filter response with JMESPath expression").option("--data <json>", "Request body (JSON string or @filename)").allowUnknownOption(true).action(async (service, args, opts) => {
+  program2.command("run [service] [args...]").description("Execute an operation on a service").option("--service <name>", "Service name (from `services list`)").option("--operation <id>", "OperationId to execute").option("--params <json>", "JSON string of operation parameters").option("--format <fmt>", "Output format: json | table | yaml", "json").option("--query <jmespath>", "Filter response with JMESPath expression").option("--data <json>", "Request body (JSON string or @filename)").allowUnknownOption(true).action(async (serviceArg, args, opts) => {
+    if (serviceArg && opts.service && serviceArg !== opts.service) {
+      console.error(`Conflicting service values: positional "${serviceArg}" and --service "${opts.service}". Use either the positional argument or --service flag, not both.`);
+      process.exit(1);
+    }
+    const service = opts.service ?? serviceArg;
+    if (!service) {
+      console.error("Missing service name. Use positional <service> or --service <name>.");
+      process.exit(1);
+    }
     const cfg = getConfig();
     const client = new ServerClient(cfg);
     let entry;
@@ -295,11 +475,29 @@ function registerRun(program2) {
       process.exit(1);
     }
     const extraArgs = opts.args ?? [];
-    const operationArgs = [
-      ...args,
-      ...extraArgs,
-      ...opts.data ? ["--data", opts.data] : []
-    ];
+    const operationArgs = [...args, ...extraArgs];
+    if (opts.operation) {
+      operationArgs.unshift(opts.operation);
+    }
+    if (opts.params) {
+      let parsed;
+      try {
+        parsed = JSON.parse(opts.params);
+      } catch {
+        console.error(`Invalid --params JSON. Example: --params '{"petId": 1}'`);
+        process.exit(1);
+      }
+      if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+        for (const [k, v] of Object.entries(parsed)) {
+          if (v === void 0 || v === null) continue;
+          const strVal = typeof v === "object" ? JSON.stringify(v) : String(v);
+          operationArgs.push(`--${k}`, strVal);
+        }
+      }
+    }
+    if (opts.data) {
+      operationArgs.push("--data", opts.data);
+    }
     const format = opts.format;
     const query = opts.query;
     try {
@@ -318,11 +516,15 @@ function registerRun(program2) {
 
 // src/commands/refresh.ts
 function registerRefresh(program2) {
-  program2.command("refresh").description("Force-refresh the local OAS cache from the server").action(async () => {
+  program2.command("refresh").description("Force-refresh the local OAS cache from the server").option("--service <name>", "Refresh only a specific service").action(async (opts) => {
     const cfg = getConfig();
     const client = new ServerClient(cfg);
     console.log("Refreshing OAS list from server...");
-    await clearOASListCache();
+    if (opts.service) {
+      await clearOASCache(opts.service);
+    } else {
+      await clearOASListCache();
+    }
     const entries = await client.listOAS();
     if (entries.length > 0) {
       const maxTtl = Math.min(...entries.map((e) => e.cacheTtl));
@@ -427,10 +629,24 @@ ERRORS
 }
 
 // src/lib/mcp-runner.ts
+function resolve(mod, name) {
+  if (typeof mod[name] === "function") return mod[name];
+  if (mod.default && typeof mod.default[name] === "function") return mod.default[name];
+  throw new Error(`Cannot resolve export "${name}" from module`);
+}
 async function getMcp2cli() {
-  const clientMod = await import("./client-O6QINOP2.js");
-  const runnerMod = await import("./runner-VTUGJUH7.js");
-  return { createMcpClient: clientMod.createMcpClient, getTools: runnerMod.getTools, runTool: runnerMod.runTool };
+  const clientMod = await import("./client-3I7XBDJU.js");
+  const runnerMod = await import("./runner-GVYIJNHN.js");
+  return {
+    createMcpClient: resolve(clientMod, "createMcpClient"),
+    getTools: resolve(runnerMod, "getTools"),
+    runTool: resolve(runnerMod, "runTool")
+  };
+}
+async function closeClient(client) {
+  if (typeof client.close === "function") {
+    await client.close();
+  }
 }
 function buildMcpConfig(entry) {
   const base = { type: entry.transport };
@@ -451,23 +667,42 @@ async function listMcpTools(entry) {
   const { createMcpClient, getTools } = await getMcp2cli();
   const config = buildMcpConfig(entry);
   const client = await createMcpClient(config);
-  const tools = await getTools(client, config, { noCache: true });
-  return tools;
+  try {
+    const tools = await getTools(client, config, { noCache: true });
+    return tools;
+  } finally {
+    await closeClient(client);
+  }
 }
 async function runMcpTool(entry, toolName, rawArgs) {
   const { createMcpClient, getTools, runTool } = await getMcp2cli();
   const config = buildMcpConfig(entry);
   const client = await createMcpClient(config);
-  const tools = await getTools(client, config, { noCache: false, cacheTtl: 3600 });
-  const tool = tools.find((t) => t.name === toolName);
-  if (!tool) throw new Error(`Tool "${toolName}" not found on MCP server "${entry.name}"`);
-  await runTool(client, tool, rawArgs, {});
+  try {
+    const tools = await getTools(client, config, { noCache: false, cacheTtl: 3600 });
+    const tool = tools.find((t) => t.name === toolName);
+    if (!tool) throw new Error(`Tool "${toolName}" not found on MCP server "${entry.name}"`);
+    const normalizedArgs = [];
+    for (const arg of rawArgs) {
+      if (arg.includes("=") && !arg.startsWith("--")) {
+        const idx = arg.indexOf("=");
+        const key = arg.slice(0, idx);
+        const value = arg.slice(idx + 1);
+        normalizedArgs.push(`--${key}`, value);
+      } else {
+        normalizedArgs.push(arg);
+      }
+    }
+    await runTool(client, tool, normalizedArgs, {});
+  } finally {
+    await closeClient(client);
+  }
 }
 
 // src/commands/mcp.ts
 function registerMcp(program2) {
   const mcp = program2.command("mcp").description("Interact with MCP servers registered in your group");
-  mcp.command("list").description("List all MCP servers available in the current group").action(async () => {
+  mcp.command("list").description("List all MCP servers available in the current group").option("--format <fmt>", "Output format: table | json | yaml", "table").action(async (opts) => {
     const cfg = getConfig();
     const client = new ServerClient(cfg);
     const entries = await client.listMCP();
@@ -475,6 +710,15 @@ function registerMcp(program2) {
       console.log("No MCP servers registered in this group.");
       return;
     }
+    const format = (opts.format ?? "table").toLowerCase();
+    if (format === "json") {
+      const safe = entries.map(({ authConfig, ...rest }) => ({
+        ...rest,
+        authConfig: { type: authConfig.type }
+      }));
+      console.log(JSON.stringify(safe, null, 2));
+      return;
+    }
     const nameWidth = Math.max(10, ...entries.map((e) => e.name.length));
     console.log(`
 ${"SERVER".padEnd(nameWidth)}  TRANSPORT  DESCRIPTION`);
@@ -485,7 +729,7 @@ ${"SERVER".padEnd(nameWidth)}  TRANSPORT  DESCRIPTION`);
     }
     console.log();
   });
-  mcp.command("tools <server>").description("List tools available on a MCP server").action(async (serverName) => {
+  mcp.command("tools <server>").description("List tools available on a MCP server").option("--format <fmt>", "Output format: table | json", "table").action(async (serverName, opts) => {
     const cfg = getConfig();
     const client = new ServerClient(cfg);
     let entry;
@@ -507,6 +751,11 @@ ${"SERVER".padEnd(nameWidth)}  TRANSPORT  DESCRIPTION`);
       console.log(`No tools found on MCP server "${serverName}".`);
       return;
     }
+    const format = (opts.format ?? "table").toLowerCase();
+    if (format === "json") {
+      console.log(JSON.stringify(tools, null, 2));
+      return;
+    }
     console.log(`
 Tools on "${serverName}":`);
     console.log("\u2500".repeat(60));